ScienceLogic Root Cause Timeline Widget

Download this manual as a PDF file

Features

  • Automatically adds Root Cause reports in ScienceLogic SL1. This allows you to see details of root cause in any SL1 dashboard.
  • The Root Cause Timeline widget in SL1 dashboards displays suggestions, accepted and custom alerts, and the Zebrium "word cloud" with summary root cause analysis (RCA) based on the relevant logs associated with the suggestions and alerts.
  • This leads to faster Mean Time to Resolution (MTTR) and less time manually hunting for root cause.
  • Requires SL1 12.1.0 or later.

How It Works

The recommended mode of operation for observability dashboard integrations is to use the Zebrium Auto-Detect mode as an accurate mechanism for explaining the reason something went wrong. In this mode, you continue to use your existing rules, alerts, and metrics as the primary source of problem detection.

You can then review Zebrium RCA report findings directly in your SL1 dashboards alongside other metrics to explain the reason behind the problems for which you were alerted.

Configuring the Root Cause Timeline Widget in SL1

For Zebrium users, a Root Cause Timeline visualization is available on the Dashboards page in SL1. This widget visualization lets you see when the AI/ML (machine learning) engine detects a possible or confirmed issue. When you hover over an icon for a suggestion or an alert in the widget, a pop-up displays a title and a word cloud that contains additional information about the likely root cause based on the relevant logs associated with the issue.

You can click the icon for a suggestion or an alert on the Root Cause Timeline visualization to go to the Zebrium user interface, where you can access further details and perform optional customizations on the Root Cause Report page.

The Root Cause Timeline widget is specific to "AIML Predictions" widget types only.

If you selected Root Cause Timeline as the visualization, complete the following fields:

  • Title. Enter a title for the widget.

  • Zebrium Connection ID. Enter the unique connection ID from Zebrium, which you can find by creating a service connection between SL1 and Zebrium. The value appears on the Service Connections page (Manage > Service Connections) in the SL1 user interface. For more information, see Configuring a Zebrium Connection for the Root Cause widget.

  • Zebrium Service Groups. Enter the name or names of the service groups in Zebrium that you want to monitor with this widget. If you have more than one service group, separate the names with commas. If you want to view sample alerts for troubleshooting purposes, include the "integration_test" service group here. If you leave this field blank, the widget will include all of the service groups. Optional.

    If you try the sample alert feature, make sure to add the special integration_test service group to this field.

For more information about using the Root Cause Timeline visualization with "AIML Predictions" widget types, see Using the Root Cause Timeline Widget.

Configuring a Zebrium Connection for the Root Cause Timeline Widget in SL1

For Zebrium users, a Root Cause Timeline visualization is available on the Dashboards page in SL1. This widget visualization lets you see when the AI/ML (machine learning) engine detects a possible or confirmed issue. When you hover over an icon for a suggestion or an alert in the widget, a pop-up displays a title and a word cloud that contains additional information about the likely root cause based on the relevant logs associated with the issue.

You can click the icon for a suggestion or an alert on the Root Cause Timeline visualization to go to the Zebrium user interface, where you can access further details and perform optional customizations on the Root Cause Report page.

The Root Cause Timeline widget is specific to "AIML Predictions" widget types only.

Connecting Your Zebrium Instance to the Root Cause Timeline Widget

To establish communication between Zebrium and the Root Cause Timeline widget in SL1, you will need to create a service connection, which enables communication between SL1 and Zebrium.

This is a two-part process:

  1. Create an "SL1 Enhanced (12.x)" integration in the Zebrium user interface.
  2. Use the data from that integration to create the service connection in SL1.

Creating a Dashboard Widget Integration in Zebrium

You will need credentials for logging in to Zebrium to create the following integration.

To create an "SL1 Enhanced (12.x)" integration in Zebrium:

  1. Log in to your Zebrium instance.
  2. Go to the Integrations & Collectors page (Settings () > Integrations & Collectors) and click the SL1 Enhanced (12.x) button in the ScienceLogic section. The Integrations dialog appears.
  3. Click Create a New Integration. The Create Integration dialog appears.
  4. On the General tab, complete the following fields:
  • Integration Name. Type a name for the widget.
  • Deployment. Select the Zebrium deployment that you want to monitor.
  1. Click Save. The Your Integration Info dialog appears, with a summary of the key values for the widget integration.
  2. Make a note of each value, as you will use all three values when creating the service connection in SL1. You can click each value to automatically copy that value.
  3. Click OK. The new integration is added to the ScienceLogic Integrations dialog.

Creating a Service Connection in SL1

After you create the ScienceLogic integration in Zebrium, you will have the data you need to create the service connection in SL1.

To refer to this data in the Zebrium user interface, go to the Integrations & Collectors page (Settings () > Integrations & Collectors) and click the SL1 Ehanced (12.x) button in the ScienceLogic section, and then click the edit icon () for that integration. The Edit dialog displays all the relevant data you need for this procedure.

To create a Zebrium service connection in SL1:

  1. In SL1, go to the Service Connections page (Manage > Service Connections).

  2. Click Add Service Connection. The Create Zebrium Connection window appears.

  3. Complete the following fields:

    • Name. Type a name for this new service connection.

    • Access Token. Add the Access Token value from the Your Integration Info dialog or the Edit Integration dialog.

      You can also access this information on the Access Tokens page (Settings () > Access Tokens) in the Zebrium user interface.

    • Zebrium Endpoint URL. Add the Endpoint URL value from the Your Integration Info dialog or the Edit Integration dialog. Zebrium Cloud users can use the default value in this field, while Zebrium On Prem users will need to add the URL of their on-premises Zebrium instance.

    • Zebrium Deployment ID. Add the Deployment ID value from the Your Integration Info dialog or the Edit Integration dialog.

    • Share data with. Select the All Organizations toggle (turn it blue) to share with all existing and new organizations when you create them. Alternately, you deselect the All Organizations toggle (turn it gray) and select one or more organizations from the Selected Organizations drop-down to limit access to this connection to only the selected organizations.

  4. Click Save.
  5. On the Service Connections page, copy the Service Connection ID value from the ID column for the service connection you just created. You will use this value when you create the Root Cause Timeline widget for the AIML Predictions widget type.

Creating a Sample Alert for the Widget

To create a sample alert to display on the new widget, you will need to add the "integration_test" service group in the "SL1 Enhanced (12.x)" integration in the Zebrium user interface. You will not see the sample alert in SL1 unless you configure the connector or widget to include the "integration_test" service group.

  1. In the Zebrium user interface, go to the Integrations & Collectors page (Settings () > Integrations & Collectors) and click the SL1 Enhanced (12.x) button in the ScienceLogic section. The Integrations dialog appears.
  2. Click the edit button next to the integration with SL1 that you created earlier.
  3. Make sure that one of the service groups in the Service Groups drop-down includes integration_test. The Create Sample Alert button creates an alert in the integration_test service group.
  4. Click Save.
  5. After you update the service group, you can click Create Sample Alert to test your settings. If your settings were correct, a sample alert will display on the Alerts page in the Zebrium user interface.

Using the Root Cause Timeline Widget

The main section of the Timeline widget contains a time-based chart with different icons that represent the following Zebrium elements:

  • Suggestion (). A yellow diamond represents a suggestion, or a potential problem found by the AI/ML engine. When you click a yellow diamond, the RCA Report page for that suggestion opens in the Zebrium user interface. On that page, you can choose to accept or reject that suggestion. 
    • If you accept the suggestion, Zebrium will create a rule for the settings for that suggestion in the future.
    • If you reject the suggestion, Zebrium will no longer show a suggestion with the same settings as that suggestion in the widget.
  • Accepted Alert (). A green circle represents an accepted alert, a suggestion that you or another Zebrium user has accepted.
  • Custom Alert (). A blue triangle represents a custom alert, which you or another user defined by writing a regular expression in Zebrium that searches for a specific pattern.
  • Rejected Alert (). A red triangle represents a rejected alert, a suggestion that you or another Zebrium user has rejected as not relevant to your environment.

When you hover over an icon in the chart, a pop-up window appears with date and time information about that specific suggestion or alert, along with a title and word cloud that contains suggestions and information about the likely root cause.

The Timeline widget also includes the following graphical elements:

  • Spike. A gray vertical line appears on the widget if there are too many suggestions or alerts to show for a specific time. You can click and drag on the spike to zoom in so you can see all of the suggestions for that specific time. Click Reset zoom to go back to the default view settings.

  • Log Lines timeline. Hover over this gray line to view a pop-up window that displays the number of log lines that have been ingested within this time interval.

  • Rare Events timeline. Hover over this red line to view a pop-up window that displays the number of events marked as rare, such as possible issues or problems, that have been ingested within this time interval. Rare events are often the most diagnostic anomalies in the logs.

Working with Suggestions in the Zebrium User Interface

You can click the icon for a suggestion or an alert on the Timeline widget to go to the Zebrium user interface, where you can access further details and perform optional customizations on the Root Cause Report page.

For more information about what you can do on the Root Cause Report page, see Root Cause Reports in the Zebrium Documentation.